Backdoors Focus on Linux, Windows

Tuesday, February 2, 2016 @ 06:02 PM gHale

A Linux backdoor has now migrated to Windows and gained new capabilities, researchers said.

The malware was initially on Linux systems, where it had a full set of features that allowed the attackers to monitor all a victim’s activities, including the ability to capture audio and take screenshots, said researchers at Kaspersky Lab.

Researchers found the backdoor was written in C++ and Qt, a cross-platform application framework, and was compiled toward the end of September 2015.

Called DropboxCache, also known as Backdoor.Linux.Mokes.a, the malware connects to a hardcoded command and control (C&C) server, after which it performs an HTTP request every minute and receives one-byte images in response, Kaspersky Lab’s Stefan Ortloff said in a blog post.

The backdoor connects to TCP port 433 using a custom protocol and AES encryption to receive data and commands from the C&C server, Ortloff said.

The malware authors didn’t put effort into obfuscating the code in any way, making it easier to analyze, Kaspersky researchers said.

The second backdoor the researchers discovered is OLMyJuxM.exe (Backdoor.Win32.Mokes.imv), which emerged recently on Windows-based systems. The analysis of this piece of malware quickly revealed it is a 32-bit Windows variant of Backdoor.Linux.Mokes.a, Kaspersky researchers said.

The malware uses the SetWindowsHook API for keylogger functionality and for monitoring mouse input and internal messages posted to the message queue. The backdoor then contacts the C&C server for commands, and continues to check in once per minute by sending a heartbeat via HTTP (GET /v1), as the Linux variant does.
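A defender-side check for the once-a-minute GET /v1 heartbeat described above, added here as an example and not code from the article or from Kaspersky Lab: it scans constructed proxy log lines (the log format, hosts and timestamps are assumptions) for source/destination pairs whose GET /v1 requests recur at roughly 60-second intervals with one-byte responses.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article). Fields:
# epoch_seconds src_ip dst_host method path response_bytes
SAMPLE_LOG = """\
1454428800 10.0.0.5 203.0.113.10 GET /v1 1
1454428860 10.0.0.5 203.0.113.10 GET /v1 1
1454428920 10.0.0.5 203.0.113.10 GET /v1 1
1454428980 10.0.0.5 203.0.113.10 GET /v1 1
1454428805 10.0.0.7 example.org GET /index.html 5120
1454428990 10.0.0.7 example.org GET /about.html 2048
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(log_text):
    """Yield (ts, src, dst, method, path, resp_bytes) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, method, path, nbytes = m.groups()
            yield int(ts), src, dst, method, path, int(nbytes)


def find_beacons(log_text, path="/v1", period=60.0, tolerance=5.0,
                 min_hits=3, max_resp_bytes=1):
    """Flag (src, dst) pairs whose GET <path> requests recur at about `period`
    seconds with tiny responses: the heartbeat pattern attributed to Mokes."""
    by_pair = defaultdict(list)
    for ts, src, dst, method, p, nbytes in parse_log(log_text):
        if method == "GET" and p == path and nbytes <= max_resp_bytes:
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few requests to call the traffic periodic
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Regular cadence: average gap near the period and little jitter.
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "mean_gap": mean(gaps)})
    return hits
```

Real proxy logs need their own parser, and the 60-second tolerance should be widened if the beacon is jittered; the per-pair cadence check itself carries over unchanged.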

The bad guys behind the malware designed it to receive commands and to upload or download additional resources via TCP port 433. The Windows backdoor uses the same filename templates to save the obtained screenshots, audio captures, keylogs and other arbitrary data, researchers said.

Further analysis of the program revealed it also includes code to capture images from a connected camera, such as a built-in webcam. Additionally, Kaspersky researchers said, unlike the Linux variant, the Windows malware has the keylogger active from the start.

Like the Linux backdoor, this malicious program’s binary contains a series of suspicious strings. To ensure Windows does not flag the malware as suspicious and ask users to confirm execution, the authors signed it with a trusted certificate issued by COMODO RSA Code Signing CA, but the researchers did not share the name of the entity to which the certificate was issued.

Kaspersky Lab researchers said the malware appears to be platform independent, saying it might not be too long before a Mac OS X variant emerges.